Abstract

This paper considers the problem of information-theoretic Secret Key Establishment (SKE) in the
presence of a passive adversary, Eve, when Alice and Bob are connected by a pair of independent discrete
memoryless broadcast channels in opposite directions. We refer to this setup as 2DMBC. We define the
secret-key capacity in the 2DMBC setup and prove lower and upper bounds on this capacity. The lower
bound is achieved by a two-round SKE protocol that uses a two-level coding construction. We show that
the lower and the upper bounds coincide in the case of degraded DMBCs.

I. Introduction

Secret Key Establishment (SKE) is a fundamental problem in cryptography: Alice and Bob want to
share a secret key in the presence of an adversary, Eve. We consider information theoretic SKE where
there is no assumption on Eve's computational power and assume Eve is passive and can only eavesdrop
the communication between Alice and Bob. It has been proven that SKE is impossible if Alice and Bob are
connected by an insecure and reliable channel with no prior correlated information [15]. Thus,
information-theoretic solutions to the SKE problem assume that resources such as channels and/or
correlated sources are available to the parties. We refer to a specific collection of resources available
to the parties as a setup.

One method of establishing a secure key between Alice and Bob is Alice choosing a random key and
sending it as a message securely to Bob. This is essentially using a secure message transmission protocol
for SKE. In a pioneering work, Wyner [23] considered the scenario of secure communication over noisy
channels, where there is a Discrete Memoryless Channel (DMC), called the main channel from Alice to
Bob, and a second DMC, called the wiretap channel, from Bob to Eve, through which Eve can observe
a (degraded) noisy version of what Bob receives from Alice. See Fig. 1(a). Wyner defined the secrecy
capacity, $C_s$, in this setup as the highest rate of secure and reliable message transmission from Alice
to Bob. He proved a single-letter characterization for the secrecy capacity that implies the possibility
of secure message transmission if the main channel has a non-zero (communication) capacity and the
wiretap channel is noisy. Wyner's work on secure message transmission is important because, contrary to
the well-known Shannon's model of secure communication [20], (i) it does not assume any prior shared
secret key and, (ii) rather than spending resources to realize noiseless channels, it uses channel noise to
provide security. Csiszár and Körner [6] generalized Wyner's wiretap channel setup by introducing a noisy
broadcast channel with two receivers, where there is a Discrete Memoryless Broadcast Channel (DMBC)
with one sender (Alice) and two receivers (Bob and Eve). See Fig. 1(b). They determined the secrecy
capacity of this setup and showed that secure message transmission from Alice to Bob is possible if Bob's
channel is less noisy [12] compared to Eve's. The results of this study have been extended to the case
of Gaussian channels [14].

Fig. 1. The comparison of (a) Wyner's wire-tap channel and (b) Csiszár and Körner's broadcast channel



The work in [23] and lH can be used for SKE, inasmuch as achievable rates for secure message
transmission and secret key establishment become the same in these setups. Later work has followed two
directions: one aiming at applying the SKE results to real-life communication scenarios such as SKE
in wireless environments [3], and the second considering SKE in new setups. Public discussion channel
HI, ll2l^ [15], secure feedback channel 13, modulo-additive feedback channel [13], [22], and correlated
sources [10], [19] are examples of new ingredients to build such setups.

Maurer [15] and concurrently Ahlswede and Csiszár ||T1 studied SKE when there exists a DMBC
from Alice to Bob (and Eve) and a public discussion channel between Alice and Bob that is unlimitedly
available to send messages in both directions. This latter channel is reliable but insecure, i.e., Eve can
fully eavesdrop the communication. It was shown that SKE in this setup may be possible even in cases
where the secrecy capacity of the DMBC is zero. The work in lUl, [15] also includes the setup where the
DMBC is replaced with a Discrete Memoryless Multiple Source (DMMS) between the parties. Csiszár
and Narayan [7] studied SKE in a slightly different setup that consists of a DMMS and a limited-rate
one-way public channel from Alice to Bob. Ahlswede and Cai Q showed that the secrecy capacity in
Wyner's setup can be increased by adding an unlimited secure (and reliable) output feedback channel. This
channel is only used to feed back the information received at the output of the forward channel. Noisy
feedback over modulo-additive broadcast channels [13], [22] is another extension of the SKE problem.
SKE using a DMBC from Alice to Bob (and Eve) and a DMMS between the three parties was considered
in [10] and independently in [19].

Assuming the existence of (free) public discussion, secure feedback, or modulo-additive feedback 
channels lets us build setups that allow interactive communication between Alice and Bob. In these 
setups, Alice and Bob can benefit from multi-round SKE protocols to achieve higher secret-key rates. 
In practice, however, such channels may not exist and it may not be necessarily the best strategy (for 
maximizing the secret-key rate) to realize them from given resources. 



A. Our work 

We consider a new setup for SKE where Alice and Bob are connected by a pair of independent DMBCs
in opposite directions. We refer to this setup as 2DMBC. This setup is a realistic scenario that models
wireless networks where two nodes communicate over wireless channels in two directions, and their
communication is eavesdropped by neighbors in their communication range. The 2DMBC setup gives the
promise of interactive communication, while the only resources provided to the parties are DMBCs.

We define SKE in the 2DMBC setup as a multi-round protocol between Alice and Bob with the aim
of establishing a secure and reliable key. In analogy to the secrecy capacity [6], [15], [23], we define the
secret-key capacity in this setup, denoted by $C_{sk}^{2DMBC}$, as the maximum achievable secret-key rate, in
bits per use of the channel. We have the following results.

1) Lower bound: We give a lower bound on the secret-key capacity. We propose a two-round SKE
protocol that uses a two-level channel coding construction, and prove that it achieves the lower bound.
Our lower bound can also be derived by using the SKE protocols in the DMMS-and-DMBC setup [10],
[19]. However, while the SKE protocols proposed in [10], [19] are combinations of different constructions
for different cases (depending on the setup's specification), our proposed SKE protocol uses a concrete
construction that achieves the lower bound for all cases.

2) Upper bound: We prove an upper bound on the secret-key capacity. This bound holds for all the 
secret-key rates achievable by SKE protocols with no limitation on the number of communication rounds. 

3) Degraded 2DMBCs: We study the 2DMBC setup when the broadcast channels are degraded. We
show that in this setup the lower and the upper bounds coincide, and the secret-key capacity can be
achieved by a one-round SKE protocol. This implies that, in the case of degraded 2DMBCs, interactive
communication cannot improve the secret-key rate and the optimal solution is key transport, i.e., one party
choosing a key and sending it securely through the (one-way) DMBC, i.e., following the work in [6].

B. Discussion 

1) Types of key establishment protocols: We observe that SKE in the 2DMBC setup can take one of 
the following forms: 

(A) Key Transport, where one party selects the key prior to the start of the protocol and the protocol is 
mainly used to deliver the key to the recipient in a secure and reliable manner. 

(B) Key Agreement, where the final secret key is not selected by a single party prior to the start of 
the protocol. Instead, it is a (possibly randomized) function of the inputs of the two parties. The 
randomness in the function comes from the channel noise. 

We note that method (A) is essentially secure message transmission, while method (B) is purely for sharing 
a secret key. It may be argued that key agreement protocols (type (B)) offer a higher level of security as 
the key is not determined by a single party. 

2) Secrecy capacity vs. secret-key capacity: The secrecy capacity was originally defined in O, [23]
for secure message transmission over one-way noisy channels. The secret-key capacity was first
defined in IH. Following these two definitions, one can define secrecy capacity and secret-key capacity
for a given setup. As discussed in Section II-B1, a protocol for secure message transmission in a setup
can always be used for SKE in that setup, and so, in any setup, the secret-key capacity is at least equal
to the secrecy capacity.

In [6], [23] there is only a one-way channel from Alice to Bob (and Eve) and the only way to establish
a key is to choose one and send it using a secure message transmission protocol. Hence the secret-key
capacity is equal to the secrecy capacity. The same result holds for setups that include a (free) public
discussion channel HI. Cl^ 1031 since any SKE protocol can be used along with a one-time pad encryption
for the purpose of secure message transmission. In the 2DMBC setup, however, the two capacities are
not necessarily the same. This is because the only accessible channels are noisy channels and to send the
encrypted message (using the established key) a reliable communication channel needs to be constructed
first. The relationship between the two capacities is not in the scope of this paper.

3) Strong and weak secrecy/secret-key capacity: The notion of secret-key capacity defined in this
paper follows the definition of secrecy capacity in [23] and later in HI, [6], [10], [15], [19]. The secrecy
requirement in these definitions is "weak" because it requires Eve's uncertainty rate to be negligible. A
"stronger" variation is requiring Eve's total uncertainty to be negligible. Maurer and Wolf [16] showed
that replacing the (weak) secrecy requirement by the stronger one does not decrease the secrecy capacity
of setups considered in O, [15], [23]. A similar proof can be used to show that the secret-key capacity
in the 2DMBC setup remains the same, regardless of which secrecy requirement is used. This means that
our results are also valid for the strong secret-key capacity.

C. Notation 

We use calligraphic letters ($\mathcal{U}$) to denote finite alphabets. We denote random variables (RVs) and their
realizations over these sets by the corresponding letters in uppercase ($U$) and lowercase ($u$). The size
of the set $\mathcal{U}$ is denoted by $|\mathcal{U}|$. $\mathcal{U}^n$ is the set of all sequences of length $n$ (so called $n$-sequences) with
elements from $\mathcal{U}$. $U^n = (U_1, U_2, \ldots, U_n) \in \mathcal{U}^n$ denotes a random $n$-sequence in $\mathcal{U}^n$.

Let $X$ be an RV over the set $\mathcal{X}$, denoted by $X \in \mathcal{X}$. We denote its probability distribution by $P_X$ and
its entropy by $H(X)$. Given a pair of RVs, $(X, Y) \in \mathcal{X} \times \mathcal{Y}$, we denote the joint distribution of $X$ and
$Y$ by $P_{X,Y}$ and their joint entropy by $H(X, Y)$. The conditional probability distribution and the entropy
of $Y$ given $X$ are denoted by $P_{Y|X}$ and $H(Y|X)$, respectively. The mutual information between $X$ and
$Y$ is denoted by $I(X; Y)$. Given RVs $(X, Y, Z) \in \mathcal{X} \times \mathcal{Y} \times \mathcal{Z}$, we denote by $P_{Y,Z|X}$ the conditional joint
distribution of $Y$ and $Z$ when $X$ is known, and by $I(X;Y|Z)$ the mutual information between $X$ and $Y$
when $Z$ is known. $X \leftrightarrow Y \leftrightarrow Z$ denotes a Markov chain between the RVs $X$, $Y$, and $Z$ in this order.
We use '$\|$' to show the concatenation of two sequences. For a value $x$, we use $[x]_+$ to show $\max\{0, x\}$.

D. Paper organization 

The rest of the paper is organized as follows. Section II gives the setup and definitions. In Section III we
prove a lower bound on the secret-key capacity in this setup. We prove an upper bound on this capacity
in Section IV. The degraded 2DMBC setup is studied in Section V. Section VI gives the concluding
remarks.

II. Preliminaries and Definitions 

A Discrete Memoryless Channel (DMC), denoted by $X \to Y$, is a channel with input and output
alphabet sets $\mathcal{X}$ and $\mathcal{Y}$, respectively, where each input symbol $X \in \mathcal{X}$ to the channel results in a single
output symbol $Y \in \mathcal{Y}$, that is independent of previously communicated symbols. The channel is specified
by the conditional distribution $P_{Y|X}$.

A Discrete Memoryless Broadcast Channel (DMBC), denoted by $X \to (Y, Z)$, consists of two (not
necessarily independent) DMCs, i.e., $X \to Y$ and $X \to Z$. The channel is specified by the conditional
distribution $P_{Y,Z|X}$. The secrecy capacity of the DMBC, $X \to (Y, Z)$, is defined as the maximum rate at
which Alice can reliably send information to Bob such that the rate at which Eve receives this information
is arbitrarily small [6], [23].

Definition 1: lH, [23] The secrecy capacity of the DMBC, specified by $P_{Y,Z|X}$, is denoted by $C_s(P_{Y,Z|X})$
and is defined as the maximum real number $R_s > 0$, such that for every $\delta > 0$ and for sufficiently
large $N$, there exists a (possibly probabilistic) $(2^k, N)$ encoder, $e : \{0,1\}^k \to \mathcal{X}^N$, with a decoder,
$d : \mathcal{Y}^N \to \{0,1\}^k$, such that for a uniformly distributed binary $k$-sequence $W^k$, we have $X^N = e(W^k)$,
$\hat{W}^k = d(Y^N)$ and the following conditions are satisfied:

$$\frac{1}{k} H(W^k | Z^N) > 1 - \delta.$$



It has been proved that [6]

$$C_s(P_{Y,Z|X}) = \max\, [I(W; Y) - I(W; Z)] \ge \max\, [I(X; Y) - I(X; Z)], \tag{1}$$

where $W$ is a random variable from an arbitrary set $\mathcal{W}$ such that $W \leftrightarrow X \leftrightarrow (Y, Z)$ forms a Markov
chain.

We define a 2DMBC as a pair of independent DMBCs, i.e., a forward DMBC from Alice to Bob,
$X_f \to (Y_f, Z_f)$, specified by $P_{Y_f,Z_f|X_f}$ over the finite sets $\mathcal{X}_f, \mathcal{Y}_f, \mathcal{Z}_f$, and a backward DMBC from Bob
to Alice, $X_b \to (Y_b, Z_b)$, specified by $P_{Y_b,Z_b|X_b}$ over $\mathcal{X}_b, \mathcal{Y}_b, \mathcal{Z}_b$. See Fig. 2.

Fig. 2. The 2DMBC setup



We consider the scenario where the 2DMBC is used to establish a shared secret key between Alice 
and Bob. Alice and Bob use a (possibly) multi-round SKE protocol to exchange sequences of RVs in 
consecutive rounds. In each communication round, either Alice or Bob sends a sequence of random 
variables (RVs) as the DMBC input. The legitimate receiver (in this round) computes a sequence of RVs 
to be sent in the next communication round. This sequence may depend on all previously communicated 
(sent and/or received) sequences of RVs. At the end of the last communication round, each party (including 
Eve) will have a set of communicated sequences, which form their "view" of the protocol. Let the RVs 
$View_A$, $View_B$, and $View_E$ be the views of Alice, Bob, and Eve, respectively. Using their views, either
Alice or Bob computes a secret key $S$, while the other one computes an estimation of the key, $\hat{S}$. In a
secure SKE protocol, the established key is required to be random, reliable and secret. These security 
requirements are formally defined below. 

Definition 2: For $R_{sk} > 0$ and $0 < \delta < 1$, the SKE protocol $\Pi$ in the 2DMBC setup is $(R_{sk}, \delta)$-secure
if it results in the key $S$ and its estimation $\hat{S}$ such that

$$\frac{H(S)}{n_f + n_b} > R_{sk} - \delta, \tag{2a}$$
$$\Pr(\hat{S} \neq S) < \delta, \tag{2b}$$
$$\frac{H(S | View_E)}{H(S)} > 1 - \delta, \tag{2c}$$

where $n_f$ and $n_b$ are the number of times that the forward and the backward channels are used, respectively.

When $\delta$ tends to zero, $R_{sk}$ indicates the secret-key rate achievable by protocol $\Pi$, i.e., the ratio of the
key entropy to the total number of channel uses. We define the secret-key capacity as follows.

Definition 3: The secret-key capacity of a 2DMBC, with forward and backward channels specified by
$P_{Y_f,Z_f|X_f}$, $P_{Y_b,Z_b|X_b}$, is denoted by $C_{sk}^{2DMBC}(P_{Y_f,Z_f|X_f}, P_{Y_b,Z_b|X_b})$ and is defined as the largest $R_{sk} > 0$
such that, for any arbitrarily small $\delta > 0$, there exists an $(R_{sk}, \delta)$-secure SKE protocol.

III. The Secret-Key Capacity: Lower Bound 

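Let the RVs $X_f, Y_f, Z_f$ (resp. $X_b, Y_b, Z_b$) be consistent with the distribution $P_{Y_f,Z_f|X_f}$ (resp. $P_{Y_b,Z_b|X_b}$)
specified by the channel. Let $V_f, V_b, W_{1,f}, W_{2,f}, W_{1,b}, W_{2,b}$ be random variables from arbitrary sets where
$V_f$, $V_b$, $(W_{1,f}, W_{2,f})$, and $(W_{1,b}, W_{2,b})$ are independent and the following Markov chains are satisfied:

$$V_f \leftrightarrow Y_f \leftrightarrow (X_f, Z_f), \qquad V_b \leftrightarrow Y_b \leftrightarrow (X_b, Z_b),$$
$$W_{2,b} \leftrightarrow W_{1,b} \leftrightarrow X_b \leftrightarrow (Y_b, Z_b), \qquad W_{2,f} \leftrightarrow W_{1,f} \leftrightarrow X_f \leftrightarrow (Y_f, Z_f).$$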

Theorem 1: Taking the above variables and letting 

Rf,=IiVf,Xf)-I{Vf,Zf), 

= HWi,b; Yb\W2,b) - I{Wi,b; Zb\W, 



2M 



Rf,=I{Vb;Xb)-I{Vb;Zf), 



Rf2 = HWij;Yf\W2,f) - I{Wij; Zf\W2,f), 
the secret-key capacity is lower bounded as 



where 



La = max 



Lb = max 



Uf +nb 

■ nbRf,+nf[Rf^]. 
Uf + nb 



s. t. nfI{Vf;Yj\Xf) < ^^/(t^i,,; n)} 
s. t. nbI{Vb;Yb\Xb) < nfI{Wij;Yf)} 



(3a) 
(3b) 
(3c) 
(3d) 

(4a) 
(4b) 
(4c) 
(4d) 

(5) 

(6) 
(7) 



Proof: Appendix A
The proof of Theorem 1 uses a concrete two-round SKE protocol with a two-level coding construction.
We give an outline of the protocol for a special case where Alice is the initiator, and we have $V_f = Y_f$,
$W_{1,b} = X_b$, and $W_{2,b} = 1$. Let $\eta_f$, $\eta_t$, $\eta_b$, $R_{sk}$, and $\kappa$ be defined as

$$\eta_f = n_f H(Y_f), \qquad \eta_t = n_f H(Y_f | X_f), \qquad \eta_b = n_b I(X_b; Y_b) - \eta_t,$$
$$R_{sk} = \frac{n_f R_{s1} + n_b [R_{s2}]_+}{n_f + n_b}, \qquad \kappa = (n_f + n_b) R_{sk}.$$

Alice chooses $n_f$ copies of $X_f$ independently and identically distributed (i.i.d.) w.r.t. $P_{X_f}$ to create the
$n_f$-sequence $X_f^{n_f}$, and sends it over the forward DMBC. Bob receives $Y_f^{n_f}$ and maps it to an integer
$F \in \mathcal{F} = \{1, 2, \ldots, 2^{\eta_f}\}$ using a deterministic bijective mapping. He encodes $F$ to an integer
$T \in \mathcal{T} = \{1, 2, \ldots, 2^{\eta_t}\}$; this is the first level of encoding. Bob chooses a uniformly random integer
$B \in \mathcal{B} = \{1, 2, \ldots, 2^{\eta_b}\}$ and encodes $(T, B)$ to an $n_b$-sequence $X_b^{n_b}$; this is the second level of encoding. The
constructions of these encoders for the general case are described in Appendix A. Bob sends $X_b^{n_b}$ over
the backward channel and Alice receives $Y_b^{n_b}$. She first decodes $Y_b^{n_b}$ to $(T, B)$ and then uses $T$ to find the
appropriate codebook for decoding $X_f^{n_f}$ to $F$ (and hence $Y_f^{n_f}$). The decoder uses the jointly-typical
decoding technique.

The secret key is obtained by calculating $S = g(F, B)$, where $g$ is a function defined as follows. Letting
$\{\mathcal{G}_i\}_{i=1}^{2^\kappa}$ be a partition of $\mathcal{F} \times \mathcal{B}$ into $2^\kappa$ equal-sized parts, the function $g : \mathcal{F} \times \mathcal{B} \to \{1, 2, \ldots, 2^\kappa\}$ is such
that, for every input $(F, B) \in \mathcal{G}_i$, it outputs $i$. In Appendix A we show that there exist appropriate encoding
and decoding functions that can be used to achieve the lower bound.

IV. The Secret-Key Capacity: Upper Bound 
Let the RVs $X_f, Y_f, Z_f$ and $X_b, Y_b, Z_b$ correspond to the 2DMBC setup specified by $P_{Y_f,Z_f|X_f}$ and
$P_{Y_b,Z_b|X_b}$, respectively.

Theorem 2: The secret-key capacity in the 2DMBC setup is upper bounded as

$$C_{sk}^{2DMBC} \le \max \{ I(X_f; Y_f | Z_f),\; I(X_b; Y_b | Z_b) \}. \tag{8}$$

Proof: Appendix B

The upper bound is proved for the highest key rate achievable by a general SKE protocol with an 
arbitrary number of communication rounds. 

V. Degraded 2DMBCs 

We define degraded 2DMBCs and prove that the lower and the upper bounds on coincide in the 
case of degraded 2DMBCs. Moreover, this capacity is achieved by a one-round SKE protocol that uses 
one of the DMBCs. 

Definition 4: The DMBC $X \to (Y, Z)$ is called obversely degraded if $X \leftrightarrow Y \leftrightarrow Z$ forms a Markov
chain. It is called reversely degraded if $X \leftrightarrow Z \leftrightarrow Y$ forms a Markov chain.
We say the DMBC $X \to (Y, Z)$ has two independent subchannels, $X_O \to (Y_O, Z_O)$ and
$X_R \to (Y_R, Z_R)$, if its input $X$ and output $(Y, Z)$ can be represented as $X = [X_O, X_R]$, $Y = [Y_O, Y_R]$ and
$Z = [Z_O, Z_R]$, respectively, such that

$$(Y_O, Z_O) \leftrightarrow X_O \leftrightarrow X_R \leftrightarrow (Y_R, Z_R)$$

forms a Markov chain.

Definition 5: The DMBC $X \to (Y, Z)$ is called degraded if it can be represented by two independent
subchannels, $X_O \to (Y_O, Z_O)$ and $X_R \to (Y_R, Z_R)$, such that the former channel is obversely degraded
and the latter channel is reversely degraded, implying that

$$Z_O \leftrightarrow Y_O \leftrightarrow X_O \leftrightarrow X_R \leftrightarrow Z_R \leftrightarrow Y_R$$

is a Markov chain.

Note that Definition 5 covers cases where the DMBC is either obversely or reversely degraded. In such
cases, in fact only one of the subchannels exists, and the other one can be defined over empty sets of
input and outputs.

Definition 6: A 2DMBC is called degraded if both of its one-way DMBCs are degraded.
Theorem 3: For the degraded 2DMBC, specified by $X_f \to (Y_f, Z_f)$ and $X_b \to (Y_b, Z_b)$, where

$$X_f = [X_{f,O}, X_{f,R}], \quad Y_f = [Y_{f,O}, Y_{f,R}], \quad Z_f = [Z_{f,O}, Z_{f,R}],$$
$$X_b = [X_{b,O}, X_{b,R}], \quad Y_b = [Y_{b,O}, Y_{b,R}], \quad Z_b = [Z_{b,O}, Z_{b,R}],$$

we have

$$C_{sk}^{d\text{-}2DMBC} = \max \{ I(X_{f,O}; Y_{f,O} | Z_{f,O}),\; I(X_{b,O}; Y_{b,O} | Z_{b,O}) \}.$$

Proof: Appendix O
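
As an added illustration (not part of the paper), the following Python code evaluates the expressions above for channels built from binary symmetric channels (BSCs): the right-hand side of (1), the upper bound (8), and the Alice-initiated rate (15) under constraint (17) for the special case $V_f = Y_f$, $W_{1,b} = X_b$, $W_{2,b}$ constant. The BSC structure, the crossover probabilities, the uniform default inputs, the grid search over binary input distributions used for the maxima, and all function names are assumptions of this example.

```python
from itertools import product
from math import log2

# Assumed for this example: binary alphabets, BSC components, hypothetical names.
X, Y, Z = (0,), (1,), (2,)  # coordinate indices inside a joint outcome (x, y, z)

def entropy(pmf):
    """Shannon entropy in bits of a pmf given as {outcome: probability}."""
    return -sum(p * log2(p) for p in pmf.values() if p > 0)

def H(joint, keep):
    """Entropy of the marginal of `joint` on the coordinates listed in `keep`."""
    marg = {}
    for outcome, p in joint.items():
        key = tuple(outcome[i] for i in keep)
        marg[key] = marg.get(key, 0.0) + p
    return entropy(marg)

def mutual_info(joint, a, b, c=()):
    """I(A;B|C) = H(A,C) + H(B,C) - H(A,B,C) - H(C); c=() gives I(A;B)."""
    return H(joint, a + c) + H(joint, b + c) - H(joint, a + b + c) - H(joint, c)

def flip(p, a, b):
    """Transition probability of a BSC with crossover probability p."""
    return 1 - p if a == b else p

def independent_bsc_dmbc(p_bob, p_eve):
    """P_{Y,Z|X} where the receiver and Eve each see X through their own BSC."""
    return {x: {(y, z): flip(p_bob, x, y) * flip(p_eve, x, z)
                for y, z in product((0, 1), repeat=2)} for x in (0, 1)}

def obversely_degraded_dmbc(p_bob, p_extra):
    """P_{Y,Z|X} with X <-> Y <-> Z: Eve sees the receiver's output via a BSC."""
    return {x: {(y, z): flip(p_bob, x, y) * flip(p_extra, y, z)
                for y, z in product((0, 1), repeat=2)} for x in (0, 1)}

def joint_xyz(channel, p_one):
    """Joint pmf of (X, Y, Z) for a binary input with Pr[X = 1] = p_one."""
    px = {0: 1 - p_one, 1: p_one}
    return {(x, y, z): px[x] * p
            for x in channel for (y, z), p in channel[x].items()}

def max_over_inputs(channel, quantity, steps=200):
    """Grid search over binary input distributions (numerical, not exact)."""
    return max(quantity(joint_xyz(channel, k / steps)) for k in range(steps + 1))

def key_transport_rate(channel):
    """Right-hand side of (1): max over P_X of I(X;Y) - I(X;Z)."""
    return max_over_inputs(
        channel, lambda j: mutual_info(j, X, Y) - mutual_info(j, X, Z))

def max_conditional_info(channel):
    """max over P_X of I(X;Y|Z), one term of the upper bound (8)."""
    return max_over_inputs(channel, lambda j: mutual_info(j, X, Y, Z))

def upper_bound(forward, backward):
    """Upper bound (8): the larger of the two conditional informations."""
    return max(max_conditional_info(forward), max_conditional_info(backward))

def alice_initiated_rate(forward, backward, p_one_f=0.5, p_one_b=0.5):
    """Rate (15) for V = Y_f, W_1 = X_b, W_2 constant, with alpha -> 0 in (17)."""
    jf, jb = joint_xyz(forward, p_one_f), joint_xyz(backward, p_one_b)
    r_s1 = mutual_info(jf, Y, X) - mutual_info(jf, Y, Z)            # (16a)
    r_s2 = max(0.0, mutual_info(jb, X, Y) - mutual_info(jb, X, Z))  # [(16b)]_+
    h_y_given_x = H(jf, X + Y) - H(jf, X)  # I(V;Y_f|X_f) = H(Y_f|X_f) for V = Y_f
    i_back = mutual_info(jb, X, Y)         # I(W_1;Y_b) = I(X_b;Y_b)
    # (17) caps the share lam = n_f / (n_f + n_b) of forward channel uses:
    # lam * H(Y_f|X_f) <= (1 - lam) * I(X_b;Y_b)
    lam = 1.0 if h_y_given_x == 0 else i_back / (i_back + h_y_given_x)
    # The rate is linear in lam, so the best feasible share is lam or 0.
    return max(r_s2, lam * r_s1 + (1 - lam) * r_s2)

if __name__ == "__main__":
    # Constructed sample 2DMBC: Eve's forward channel is better than Bob's.
    fwd = independent_bsc_dmbc(p_bob=0.2, p_eve=0.1)
    bwd = independent_bsc_dmbc(p_bob=0.1, p_eve=0.1)
    print("one-way rates from (1):", key_transport_rate(fwd), key_transport_rate(bwd))
    print("two-round rate (15):   ", alice_initiated_rate(fwd, bwd))
    print("upper bound (8):       ", upper_bound(fwd, bwd))
```

For the constructed channels in the `__main__` block, both one-way rates from (1) are zero, while the two-round rate is about 0.044 bits per channel use, below the upper bound of about 0.211. For an obversely degraded channel the two quantities computed by `key_transport_rate` and `max_conditional_info` agree, since $I(X;Y|Z) = I(X;Y) - I(X;Z)$ when $X \leftrightarrow Y \leftrightarrow Z$.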

VI. Conclusion 

The work on key establishment over a pair of independent discrete broadcast channels (the 2DMBC 
setup) is inspired by real-life communication between peers, e.g., in wireless environments where the 
communication between two peers is intercepted by neighbors in the communication range. We defined 
the secret-key capacity in this setup and provided lower and upper bounds on this capacity. The lower 
bound is achieved by a two-round SKE protocol that uses a two-level coding construction. We showed that, 
when the broadcast channels are degraded, the lower and the upper bounds coincide and the secret-key 
capacity is achieved by a one-round SKE protocol using one of the DMBCs.

Appendix A
Proof of Theorem 1: the lower bound

In parts of the proof, we use the channel coding theorem (e.g., [4, Theorem 8.7.1]), with a decoding
method based on so called jointly-typical bipartite sequences. A bipartite sequence $X^N = (U^n \| T^d)$ is
the concatenation of two subsequences, $U^n$ and $T^d$, with two (possibly different) probability distributions,
$P_U$ and $P_T$, respectively, where $N = n + d$. We extend the definitions of jointly typical sequences to
bipartite jointly typical sequences as follows.

Definition 7: A sequence $x^N = (u^n \| t^d)$ is an $(\epsilon, n)$-bipartite typical sequence with respect to the
probability distribution pair $(P_U(u), P_T(t))$, iff

$$\left| -\frac{1}{N} \log P(x^N) - \frac{n H(U) + d H(T)}{N} \right| < \epsilon, \tag{9}$$

where $P(x^N)$ is calculated as

$$P(x^N) = \prod_{i=1}^{N} P(x_i) = \prod_{i=1}^{n} P_U(u_i) \times \prod_{i=1}^{d} P_T(t_i). \tag{10}$$

Definition 8: A pair of sequences $(x^N, y^N) = ((u^n \| t^d), (u'^n \| t'^d))$ is an $(\epsilon, n)$-bipartite jointly typical
pair of sequences with respect to the probability distribution pair $(P_{U,U'}(u, u'), P_{T,T'}(t, t'))$, iff $x^N$
and $y^N$ are $(\epsilon, n)$-bipartite typical sequences with respect to the marginal probability distribution pairs
$(P_U(u), P_T(t))$ and $(P_{U'}(u'), P_{T'}(t'))$, respectively, and

where $P(x^N, y^N)$ is calculated as

$$P(x^N, y^N) = \prod_{i=1}^{N} P(x_i, y_i) = \prod_{i=1}^{n} P_{U,U'}(u_i, u'_i) \times \prod_{i=1}^{d} P_{T,T'}(t_i, t'_i). \tag{12}$$

Definition 9: The set $A_\epsilon^{(N,n)}$ is the set of all $(\epsilon, n)$-bipartite jointly typical pairs of sequences $(x^N, y^N) =
((u^n \| t^d), (u'^n \| t'^d))$, with respect to the probability distribution pair $(P_{U,U'}(u, u'), P_{T,T'}(t, t'))$.

Theorem 4: (Joint AEP for bipartite sequences) Let $(X^N, Y^N) = ((U^n \| T^d), (U'^n \| T'^d))$ be a pair
of bipartite random sequences of length $N$, (each part) drawn i.i.d. according to the distribution pair
$(P_{U,U'}(u, u'), P_{T,T'}(t, t'))$. Then, for large enough $n$ and $d$, we have

1) $\Pr((X^N, Y^N) \in A_\epsilon^{(N,n)}) \to 1$

2) $(1 - \epsilon)\, 2^{n H(U,U') + d H(T,T') - N\epsilon} \le |A_\epsilon^{(N,n)}| \le 2^{n H(U,U') + d H(T,T') + N\epsilon}$

3) If $X^N$ and $Y^N$ are independent with the same marginal distributions as $P(x^N, y^N)$, i.e., $(X^N, Y^N)$
is generated according to the distribution $P(x^N) P(y^N)$, then

$$\Pr((X^N, Y^N) \in A_\epsilon^{(N,n)}) \le 2^{-n I(U;U') - d I(T;T') + 3N\epsilon}, \tag{13}$$

$$\Pr((X^N, Y^N) \in A_\epsilon^{(N,n)}) \ge (1 - \epsilon)\, 2^{-n I(U;U') - d I(T;T') - 3N\epsilon}. \tag{14}$$
Proof: Appendix D

To prove Theorem 1, in the following we propose a two-round SKE protocol, based on a two-level
coding construction, that achieves (6) when Alice initiates the protocol. One can show in a similar way
that (7) is achievable when Bob is the initiator.

Let the RVs $V_f, X_f, Y_f, Z_f$, and $W_{1,b}, W_{2,b}, X_b, Y_b, Z_b$ be the same as defined in Section III (for
Theorem 1); hence, the Markov chains in (3) are satisfied. Also let $n_f$ and $n_b$ be integers that satisfy
the constraint condition in (6). For simplicity, we use $W_1$, $W_2$, and $V$ to refer to $W_{1,b}$, $W_{2,b}$, and $V_f$,
respectively. Accordingly, we write the argument to be maximized in (6) as

$$R_{sk} = \frac{n_f R_{s1} + n_b [R_{s2}]_+}{n_f + n_b}, \tag{15}$$

where

$$R_{s1} = I(V; X_f) - I(V; Z_f), \tag{16a}$$
$$R_{s2} = I(W_1; Y_b | W_2) - I(W_1; Z_b | W_2), \tag{16b}$$

and we rephrase the constraint condition in (6) as

$$n_b I(W_1; Y_b) \ge n_f (I(V; Y_f | X_f) + 3\alpha), \tag{17}$$

where $\alpha > 0$ is a small constant to be determined (later) from $\delta$. We shall show that for any given $\delta > 0$,
for sufficiently large $n_f$ and $n_b$ that satisfy (17), we have

$$\frac{H(S)}{n_f + n_b} > R_{sk} - \delta, \tag{18a}$$
$$\Pr(\hat{S} \neq S) < \delta, \tag{18b}$$
$$\frac{H(S | Z_f^{n_f}, Z_b^{n_b})}{H(S)} > 1 - \delta. \tag{18c}$$

We describe a two-level coding construction and prove that it can achieve the above secret-key rate. Let
$N = n_f + n_b$ and $\epsilon, \beta > 0$ be small constants determined from $\alpha$ such that $3N\epsilon < n_b \beta = n_f \alpha$. Let
$n_b = n_{b,1} + n_{b,2}$, where $n_{b,2}$ is chosen to satisfy

$$n_{b,2} I(W_1; Y_b) = n_f (I(V; Y_f | X_f) + 3\alpha). \tag{19}$$

We first define the following quantities, sets and functions which are used in the sequel.

$$\eta_f = n_f [I(V; Y_f) + \alpha], \tag{20}$$
$$\eta_t = n_{b,2} [I(W_1; Y_b) - \beta], \quad \eta_{t,2} = n_{b,2} I(W_2; Y_b), \quad \eta_{t,1} = \eta_t - \eta_{t,2}, \tag{21}$$
$$\eta_b = n_{b,1} [I(W_1; Y_b) - \beta], \quad \eta_{b,2} = n_{b,1} I(W_2; Y_b), \quad \eta_{b,1} = \eta_b - \eta_{b,2}, \tag{22}$$
$$\eta_1 = \eta_{t,1} + \eta_{b,1}, \quad \eta_2 = \eta_{t,2} + \eta_{b,2}, \quad \eta = \eta_f + \eta_b, \tag{23}$$
$$\kappa = (n_f + n_b) R_{sk}, \quad \gamma = \eta - \kappa. \tag{24}$$

Although the quantities obtained in (19)-(24) are real values, for sufficiently large $n_b$ and $n_f$, we can
approximate them by integers. Since $\beta$ can be made arbitrarily small, we can assume $\eta_b$ and $\eta_t$ are
non-negative. Furthermore, it is easy to see that, for arbitrarily small $\alpha$, we can assume $\eta_f > \eta_t$ and $\gamma$ is
non-negative. We show them respectively as follows

$$\eta_f \overset{(a)}{=} n_f [I(V; Y_f, X_f) + \alpha] = n_f I(V; X_f) + n_f I(V; Y_f | X_f) + n_f \alpha$$
$$= n_f I(V; X_f) + n_{b,2} I(W_1; Y_b) - 2 n_f \alpha \ge n_{b,2} I(W_1; Y_b) - 2 n_f \alpha \ge \eta_t - 2 n_f \alpha,$$



V =r]f + Vb = n fI{V; Xf)+ 71^,3/(^^1 , Yb) - 2n/Q + nh,iI{Wi , Yb) 

> nfI{V;Xf) +nbI{Wi,Yb) - 2n/a > Uf^ + i?^2 " 2f^/a > ^ - 2n/a, 

where equality (a) is due to the Markov chain $X_f \leftrightarrow Y_f \leftrightarrow V$, and the rest of the steps follow from the
above relations (15)-(24). The following sets and functions are used to design the SKE protocol.

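(i) $\mathcal{V}^{n_f}$ is the set of all possible $n_f$-sequences with elements from $\mathcal{V}$. Create $\mathcal{V}_\epsilon^{n_f}$ by randomly and
independently selecting $2^{\eta_f}$ $\epsilon$-typical sequences (w.r.t. $P_V$) from $\mathcal{V}^{n_f}$.

(ii) Let $f : \mathcal{V}_\epsilon^{n_f} \to \mathcal{F} = \{1, 2, \ldots, 2^{\eta_f}\}$ be an arbitrary bijective mapping; denote its inverse by $f^{-1}$.

(iii) Let $\{\mathcal{V}_{\epsilon,i}^{n_f}\}_{i=1}^{2^{\eta_t}}$ be a partition of $\mathcal{V}_\epsilon^{n_f}$ into $2^{\eta_t}$ equal-sized parts. Define the function
$t : \mathcal{V}_\epsilon^{n_f} \to \mathcal{T} = \{1, 2, \ldots, 2^{\eta_t}\}$ such that, for any input in $\mathcal{V}_{\epsilon,i}^{n_f}$, it outputs $i$.

(iv) Let $\{\mathcal{T}_i\}_{i=1}^{2^{\eta_{t,2}}}$ be a partition of $\mathcal{T}$ into $2^{\eta_{t,2}}$ equal-sized parts. Label elements of part $i$ as
$\mathcal{T}_i = \{t_{i,j}\}_{j=1}^{2^{\eta_{t,1}}}$. Define $t_{indx} : \mathcal{T} \to \{1, \ldots, 2^{\eta_{t,2}}\} \times \{1, \ldots, 2^{\eta_{t,1}}\}$ such that $t_{indx}(t) = (i, j)$, if $t$ is
labeled by $t_{i,j}$.

(v) Let $\mathcal{B} = \{1, 2, \ldots, 2^{\eta_b}\}$. In analogy to $\mathcal{T}$, let $\{\mathcal{B}_i\}_{i=1}^{2^{\eta_{b,2}}}$ be a partition of $\mathcal{B}$ where
$\mathcal{B}_i = \{b_{i,j}\}_{j=1}^{2^{\eta_{b,1}}}$. Define $b_{indx} : \mathcal{B} \to \{1, \ldots, 2^{\eta_{b,2}}\} \times \{1, \ldots, 2^{\eta_{b,1}}\}$ such that $b_{indx}(b) = (i, j)$ if $b$ is
labeled by $b_{i,j}$.

(vi) Let $\{\mathcal{G}_i\}_{i=1}^{2^\kappa}$ be a partition of $\mathcal{F} \times \mathcal{B}$ into parts of size $2^\gamma$. Define $g : \mathcal{F} \times \mathcal{B} \to \{1, 2, \ldots, 2^\kappa\}$ such
that, for any input in $\mathcal{G}_i$, it outputs $i$.

(vii) Define the codebook $\mathcal{C}_2$ as the collection of $2^{\eta_2}$ codewords $\{w_{2,t_2,b_2}^{n_b} : t_2 = 1, 2, \ldots, 2^{\eta_{t,2}},\ b_2 =
1, 2, \ldots, 2^{\eta_{b,2}}\}$, where each codeword $w_{2,t_2,b_2}^{n_b}$ is of length $n_b$ and is independently generated
according to the distribution

$$\prod_{i=1}^{n_b} p(W_2 = w_{2,t_2,b_2}(i)).$$

(viii) For each $w_{2,t_2,b_2}^{n_b}$, define the codebook $\mathcal{C}_1(w_{2,t_2,b_2}^{n_b})$ as the collection of $2^{\eta_1}$ codewords
$\{w_{1,t_2,b_2,t_1,b_1}^{n_b} : t_1 = 1, \ldots, 2^{\eta_{t,1}},\ b_1 = 1, \ldots, 2^{\eta_{b,1}}\}$, where each codeword, $w_{1,t_2,b_2,t_1,b_1}^{n_b}$, is of length $n_b$
and is independently generated according to the distribution

(ix) Let $Enc : \mathcal{T} \times \mathcal{B} \to \mathcal{W}_1^{n_b}$ be an encoding function such that $Enc(t, b) = w_{1,t_2,b_2,t_1,b_1}^{n_b}$ using the
above codebooks, where $(t_2, t_1) = t_{indx}(t)$ and $(b_2, b_1) = b_{indx}(b)$.

(x) Let $DMC_W$ be the DMC, $W_1 \to X_b$, that is specified by $P_{X_b|W_1}$.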

Encoding. Alice selects an i.i.d. $n_f$-sequence $X_f^{n_f}$ and sends it over the forward DMBC. Bob and Eve
receive $Y_f^{n_f}$ and $Z_f^{n_f}$, respectively. Bob finds a sequence $V^{n_f} \in \mathcal{V}_\epsilon^{n_f}$ that is $\epsilon$-jointly typical with $Y_f^{n_f}$
(w.r.t. $P_{V,Y_f}$); he returns a NULL if no such sequence is found. He computes $T = t(V^{n_f})$ and then selects
an independent uniformly random $B \in \mathcal{B}$. Bob calculates $(T_2, T_1) = t_{indx}(T)$ and $(B_2, B_1) = b_{indx}(B)$,
and uses them to calculate $W_1^{n_b} = Enc(T, B)$ (see the encoder construction in (ix)). Next, he inputs $W_1^{n_b}$
to $DMC_W$ to compute $X_b^{n_b}$, and sends $X_b^{n_b}$ over the backward DMBC. Alice and Eve receive $Y_b^{n_b}$ and
$Z_b^{n_b}$, respectively.

Decoding. Alice first finds a unique codeword $\hat{W}_1^{n_b} \in \mathcal{C}_1$ that is $\epsilon$-jointly typical to $Y_b^{n_b}$ (w.r.t. $P_{W_1,Y_b}$);
she returns a NULL if no such sequence is found. She obtains $(\hat{T}, \hat{B})$ such that $Enc(\hat{T}, \hat{B}) = \hat{W}_1^{n_b}$, and
then finds a unique codeword $\hat{V}^{n_f} \in \mathcal{V}_{\epsilon,\hat{T}}^{n_f}$ that is $\epsilon$-jointly typical to $X_f^{n_f}$ (w.r.t. $P_{V,X_f}$); she returns a
NULL if no such sequence is found.

Key Derivation. Bob computes $F = f(V^{n_f})$ and $S = g(F, B)$; Alice computes $\hat{F} = f(\hat{V}^{n_f})$ and $\hat{S} =$

Fig. 3 shows the connection chain between the random variables/sequences used in the above protocol.
Two variables/sequences are connected by an edge if (1) they belong to input/outputs of the same DMBC,
or (2) one is computed from the other by Alice or Bob using a (possibly randomized) function. The
Markov chain $Q_1 \leftrightarrow Q_2 \leftrightarrow Q_3$ holds, if $Q_3$ (resp. $Q_1$) is computed from $Q_2$ by a (possibly randomized)
function of $Q_2$ and a random variable $R$, where $R$ is independent of $Q_1$ (resp. $Q_3$).

Fig. 3. The relation between the variables/sequences used in the SKE protocol for (a) encoding/decoding, (b) key derivation by
Alice, and (c) key derivation by Bob

Uniformity Analysis: Proving dlSal l 

We show that S'g{1,2,...,2''} has a distribution close to uniform. First, we argue about the distributions 
of Vf, F, and B. 

In the encoding phase, V^' is chosen to be e-jointly typical with (w.r.t. Pv,Yf)- From AEP, for 
each f"^ G Vf', there are at most 2"^(^(^^l^)"'"'^) sequences in that are e-jointly typical with v'^f; 
each appearing with probability at most 2^"^^^^^^)"'^^ and so letting 

V,^f = {yy G y?^ : is e-jointly typical w.r.t. Py.y}, 
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we have 

< 
< 

^i]f-5Ne<nf{I{V;Yf)-2e) < HiV'f) < i]f = nf{I{V;Yf) + a), (26) 

where the upper bound on Hi^f) is due to \Ve^\ = T^f (see (i)). Since F = ^{V^^ ) (see the key 
derivation phase) and f is a bijective function (see (ii)), we have 

V/ G 7-, Pr(F = /) = Pr(y"/ = rHf)) 

^rjf- 5Ne < nf{I{V; Yf) - 2e) < H{F) < r?/, (27) 

Further, B is selected uniformly at random from B of size % (see (v) and the encoding phase), and so 

V6 e B, Pt{B = h) = 2"'"' ^ H{B) = r]b. (28) 

From (vi) and the key derivation phase, there are 2'^ choices for the key S; hence H{S) < k = {nf+ni,)Rs. 
For every i G {1,2,... ,2'*}, the probability that S = i equals to the probability that (F, B) € Gi- More 
specifically (see (l23]l and ((24l) ). 

Vi: Fi{S = i) = Pt{F = f A B = b) 

_ 2-(«-5Af<:) 

^ (n/ + nfc)(/2, -(5) < K-5iVe < H{S) < {nj + nb)Rs, 5 > 5e. (29) 
Reliability Analysis: Proving dlSbl) 

We shall show that $\hat{S} = S$ with high probability. The encoding phase is successful with high probability: since there are $2^{\eta_f}$ sequences in $\mathcal{V}_\epsilon^{n_f}$, where $\eta_f = n_f[I(V;Y_f) + \alpha]$, from joint-AEP, with probability arbitrarily close to 1, there exists a $V^{n_f} \in \mathcal{V}_\epsilon^{n_f}$ that is $\epsilon$-jointly typical with $Y_f^{n_f}$ (w.r.t. $P_{V,Y_f}$). The decoding phase includes two levels of decoding. First, Alice decodes $Y_b^{n_b}$ to $T$ and $B$. There are $2^{\eta_t + \eta_b}$ codewords $W_1^{n_b}$ in the codebook $\mathcal{C}_1$. From (21) and (22), we have

$$\eta_t + \eta_b = n_{b,2} I(W_1;Y_b) + n_{b,1} I(W_1;Y_b) - n_b\beta \le n_b I(W_1;Y_b) - 3N\epsilon \le n_b[I(W_1;Y_b) - 3\epsilon].$$

Hence, from joint-AEP, with high probability there exists a unique sequence W^*" that is e-jointly typical 
decoding to Y^*" . In the second level of decoding, Alice focuses on V^^ as a codebook and looks for a 
unique codeword V^' € V^' that is e-jointly typical to XV . From (i) and (iii), there are 2^'^~^* codewords 



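$$\sum_{y^{n_f}:\ (v^{n_f},\, y^{n_f})\ \epsilon\text{-jointly typical}} \Pr(Y_f^{n_f} = y^{n_f}) \le 2^{n_f H(Y_f|V) + n_f\epsilon}\; 2^{-n_f H(Y_f) + n_f\epsilon} = 2^{n_f(-I(V;Y_f) + 2\epsilon)} \le 2^{-\eta_f + 5N\epsilon}. \qquad (25)$$

in this codebook, and we have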

$$\begin{aligned}
\eta_f - \eta_t &\overset{(a)}{=} n_f(I(V;Y_f) + \alpha) - n_{b,2}[I(W_1;Y_b) - \beta] \\
&\overset{(b)}{=} n_f(I(V;X_f,Y_f) + \alpha) - n_{b,2} I(W_1;Y_b) + n_{b,2}\beta \\
&= n_f I(V;X_f) + n_f(I(V;Y_f|X_f) + 3\alpha) - n_{b,2} I(W_1;Y_b) - 2n_f\alpha + n_{b,2}\beta \\
&\overset{(c)}{\le} n_f I(V;X_f) - 3N\epsilon \le n_f(I(V;X_f) - 3\epsilon).
\end{aligned}$$

Equality (a) follows from (20) and (21), equality (b) is due to the Markov chain $V \leftrightarrow Y_f \leftrightarrow X_f$, and inequality (c) follows from (19). Hence, from joint-AEP, the appropriate $V^{n_f}$ in this codebook is found with high probability. The rest is key derivation, which is deterministic and does not increase the error probability, i.e., the error probability at the end of the protocol is upper bounded by that of the decoding phase. This gives $\Pr(\hat{S} \ne S) < \delta$ for arbitrarily small $\delta$.

Secrecy Analysis: Proving dlScl l 

We shall show that $H(S|Z_f^{n_f}, Z_b^{n_b})$ is close to $H(S)$. We first calculate the quantities $H(T)$, $H(T_2)$,
and $H(B_2)$, which are used in the sequel. From the encoding phase, $T = t(V^{n_f})$, and we have (see (i), (iii)
and dlB and (|25] )) 

ViGT, Pr(T = t) = Pr(y"^ = 1."^) 

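$$\le 2^{\eta_f - \eta_t}\, 2^{-\eta_f + 5N\epsilon} = 2^{-\eta_t + 5N\epsilon} \qquad (30)$$

$$\Rightarrow\ \eta_t - 5N\epsilon \le H(T) \le \eta_t, \qquad (31)$$

where the upper bound on $H(T)$ is due to $|\mathcal{T}| = 2^{\eta_t}$. From the encoding phase $(T_2, T_1) = t_{indx}(T)$, and we have (see (iv) and (21) and (30))

$$\forall i \in \{1, \ldots, 2^{\eta_{t,2}}\},\quad \Pr(T_2 = i) = \Pr(T \in \mathcal{T}_i) = \sum_{j=1}^{2^{\eta_{t,1}}} \Pr(T = t_{i,j}) \le 2^{\eta_{t,1}}\, 2^{-\eta_t + 5N\epsilon} = 2^{-\eta_{t,2} + 5N\epsilon}$$

$$\Rightarrow\ \eta_{t,2} - 5N\epsilon \le H(T_2) \le \eta_{t,2}, \qquad (32)$$

where the upper bound follows from $|\mathcal{T}_2| = 2^{\eta_{t,2}}$. Likewise $(B_2, B_1) = b_{indx}(B)$ and so, using (v) and (22), we have

$$\forall i \in \{1, \ldots, 2^{\eta_{b,2}}\},\quad \Pr(B_2 = i) = \Pr(B \in \mathcal{B}_i) = \sum_{j=1}^{2^{\eta_{b,1}}} \Pr(B = b_{i,j}) = 2^{\eta_{b,1}}\, 2^{-\eta_b} = 2^{-\eta_{b,2}}$$

$$\Rightarrow\ H(B_2) = \eta_{b,2}. \qquad (33)$$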

In Lemma 1 we give a lower bound for $H(S|Z_f^{n_f}, Z_b^{n_b})$. Lemma 2 is used to show that this lower
bound is arbitrarily close to $H(S)$. Finally, Corollary 1 uses the results of these two lemmas to prove



Lemma 1: Eve's uncertainty about the secret $S$ satisfies

$$H(S|Z_f^{n_f}, Z_b^{n_b}) \ge H(S) - H(F,B|S,T_2,B_2,Z_f^{n_f},Z_b^{n_b}) - 19N\epsilon.$$



Proof:

$$\begin{aligned}
&= H(S,F,B|T_2,B_2,Z_f^{n_f},Z_b^{n_b}) - H(F,B|S,T_2,B_2,Z_f^{n_f},Z_b^{n_b}) \\
&= H(F,B|T_2,B_2,Z_f^{n_f},Z_b^{n_b}) - H(F,B|S,T_2,B_2,Z_f^{n_f},Z_b^{n_b}) \\
&= H(F,B|T_2,B_2) - I(F,B;Z_f^{n_f},Z_b^{n_b}|T_2,B_2) - H(F,B|S,T_2,B_2,Z_f^{n_f},Z_b^{n_b}). \qquad (34)
\end{aligned}$$

In (34), the last term appears in the statement of Lemma 1, so it remains to calculate the first two
terms. The first one is written as

H{F,B\T2,B2) = H{F\T2,B2) + H{B\F,T2,B2) = H{F\T2) + H{B\B2) 

H{F) + H{B)-H{T2)-H{B2) (35) 

> 77/ - 5iVe + ?76 - ?7t,2 - ?7fc,2 
(d) 

> nf{I{V; Yf) - 2e) + nhAHWuYt) - /3] - nb,2l{W2;Yb) - 716,1^(^^2; n) 
UfliV; Xf) + n.fliV; Yf\Xf) - 2n/e + nb,i/(M^i; n) - ^^/(VKa; n) - nb,if3 

= nfI{V;Xf) + nf {I{V- Yf\Xf) + Za) + 71^4/(^^1 ; n) - ni,I{W2 ; n) - 3n/a ™ 7ib/3 - 2n je 
nfI{V- Xf) + nb,2l{Wi-Yb) + 716,1/(1^1; n) - nbI{W2]Yb) -iufa^ n^P - 2n/e 

> nfI{V- Xf) + nb/(VKi; n) - nbI{W2]Yb) - UNe 

= nfI{V;Xf) + nbI{Wi;Yb\W2)-UNe (36) 

Equality (a) holds since $B_2$ and $B$ are selected independently of $T_2$ and $F$; equality (b) holds since $T_2$ and $B_2$ are deterministic functions of $F$ and $B$, respectively (see the encoding phase); inequality (c) follows from (EUl, and (33); equality (d) follows from and (22); equality (e) is due to the Markov chain $X_f \leftrightarrow Y_f \leftrightarrow V$ and (viii); equality (f) follows from (19), and equality (g) is due to the Markov chain $W_2 \leftrightarrow W_1 \leftrightarrow Y_b$.
The second term in (34) is written as



liF B- , Zl^ IT2, B2) = I{F B; Zy \T2,B2) + I{F B; {Z^ , T2, B2) 

(a) 



I{V"f , B; Zy \T2, B2) + lir'i- , T, B; Z,"' {Z"/ ,T2,B2 
I{V"f , B; Zy \T2, B2) + I{T, B; Z^^ {Z^ , T2, B2) 



< /(v"^ , B- zy \T2, B2) + /(T, B- z;;" \t2, B2) 

(d) 

< /(V"^;Z;0 + /(T,B;dT2,B2) 



(/) 



/(y-/ ; + mm{[H{T, B\T2, B2)], [I{T, B; Z^' \T2,B2)]} 

I{V"f ; Z^' ) + mm{[H(T\T2) + H(B\B2)], [H{Z]:>' \T2, B2) - H{Z]:>'\T, B, T2, B2)]} 

J(V"^ -,2^) + mm{[H{T) - H{T2) + H{B) - H(B2)], [H{Z;;>- \T2, B2) - H{Z'^^ \T, B)]] 
(9) 

< nfI{V;Zf) + mm{n4I{Wi;Yt) ~ I{W2;Yb)] - 5Ne, [H{Z'^»\T2, B2) - H {Z^" \T , B)]} 
(h) 

< nfI{V-, Zf) + mm{nt[I{Wi-,Yb) ~ I{W2-,Yb)] - 5Ne,nb[H{Zb\W2} - H{Zb\Wi)]} 

< nfI{V;Zf)+mm{nbI{Wi;Yb\W2),nbI{Wi;Zb\W2)}-5Ne (37) 

Inequality (a) holds because $V^{n_f} = f^{-1}(F)$ (the key derivation phase) and $T$ is a deterministic function of $V^{n_f}$ (the encoding phase); equality (b) holds because $V^{n_f} \leftrightarrow (T, B) \leftrightarrow Z_b^{n_b}$ forms a Markov chain; inequality (c) is due to the Markov chain $Z_f^{n_f} \leftrightarrow (T, B) \leftrightarrow Z_b^{n_b}$; inequality (d) is due to the Markov chain $(B, B_2, T_2) \leftrightarrow V^{n_f} \leftrightarrow Z_f^{n_f}$; equality (e) holds since $T_2$ and $T$ are obtained independently of $B_2$ and $B$; equality (f) holds since $T_2$ and $B_2$ are parts of $T$ and $B$, respectively; inequality (g) follows from (28), (31), (32), and (33); inequality (h) follows from AEP, and equality (i) is due to the Markov chain $W_2 \leftrightarrow W_1 \leftrightarrow Z_b$. Applying (36) and (37) in (34) gives

$$\begin{aligned}
H(S|Z_f^{n_f}, Z_b^{n_b}) &\ge n_f(I(V;X_f) - I(V;Z_f)) + n_b[I(W_1;Y_b|W_2) - I(W_1;Z_b|W_2)]_+ - 19N\epsilon - H(F,B|S,T_2,B_2,Z_f^{n_f},Z_b^{n_b}) \\
&= (n_f + n_b)R_s - 19N\epsilon - H(F,B|S,T_2,B_2,Z_f^{n_f},Z_b^{n_b}) \\
&\ge H(S) - 19N\epsilon - H(F,B|S,T_2,B_2,Z_f^{n_f},Z_b^{n_b}),
\end{aligned}$$

where the last inequality follows from (29). ■

Lemma 2: $H(F,B|S,T_2,B_2,Z_f^{n_f},Z_b^{n_b}) \le h(2\epsilon) + 2\epsilon\eta$.

Proo/; We shall show that the knowledge of {S,T2,B2, Z^"") gives almost all the information 
about F, B. From (xi), knowing S = i gives the partition Qi that F, B belongs to; further, knowing T2 = ^2 
and B2 = b2 gives the codeword lOg*^,^ G C2 which is used in the encoding phase (see (xii) and (xiii)). 
Define the codebook Cf = {v''f,w'^' : (f(f"0>&) ^ = Enc{i{v''f),b), T2 = t2, B2 = 52}. 

Given , Z^*" , one can search all the codewords in Cf and return a unique V"'^ , Vt^"' G Cf that is 
(e, nj)-bipartite jointly typical to {Z^ ,Z]^*) w.r.t. (-Pv,Z/, -fVi,Zb); otherwise return a NULL. From (xi), 
\Qi\ = 2^ , and so \Cf \ = 2'~''~^^, where rj2 = ?7t,2 + %,2- If 7 — ^2 is sufficiently smaller than nfI{V;Zf) + 
nbI{Wi; Zh), from joint- AEP for bipartite sequences (in Theorem |4]), the above jointly-typical decoding 
will result in arbitrarily small error probability. To prove 7 — ?/2 is smaller than nfI{V; Zf) + nbI{Wi; Z^), 
we first calculate the following term. 



Hence, 



nf{I{V- Yf) + q) + nb,iI{Wi- n) - n^P 

nfI{V; Xf) + nf{I{V; Yf\Xf) + 3a) + nb,iI{Wi;Yb) - 2nfa - UbP 
nfI{V;Xf) + nbI{Wi;Yb)-3nfa. 



1 -m = v- ("-/ + nb)Rs - 111,2 - 'nb,2 

< nfI{V; Xf) + nbI{Wi;Yb) - 3n^Q + nf[I{V; Zf) - I{V; Xf)] 

+nb[I{Wr,Zb\W2)-I{Wi-,Yb\W2)]-nb,2l{W2-,Yb)-nb,iI{W2;Yb) 

nbI{Wi;Yb) - Srifa + nfI{V; Zf) + nb[I{Wi; Zb\W2) - I{Wr,Yb\W2)] - nbI{W2; Yb) 

id) 



n 



fI{V- Zf) + nbI{Wr, Zb\W2) - Sufa 



< UfliV; Zf) + nbI{Wi] Zb) - 9iVe. 

Equality (a) follows from (x) and (xi), inequality (b) follows from the definition of $R_s$ in (fTSl ), equality
(c) follows from (ii), equality (d) is due to the Markov chain $W_2 \leftrightarrow W_1 \leftrightarrow Y_b$, and inequality (e)
is due to the Markov chain $W_2 \leftrightarrow W_1 \leftrightarrow Z_b$. From Theorem 4 (joint-AEP for bipartite sequences),
the decoding error probability becomes arbitrarily close to 0, i.e., given $(S, T_2, B_2, Z_f^{n_f}, Z_b^{n_b})$, we have
Pr (^{V^'f ,W^'') / W^"")) < 2e. Let F = f(F"0 and B,f = EnciW^'), then we have 



$$\Pr\big((\hat{F}, \hat{B}) \ne (F, B)\big) < 2\epsilon.$$
Using Fano's inequality lOj results in 

$$H(F,B|S,T_2,B_2,Z_f^{n_f},Z_b^{n_b}) \le H(F,B|\hat{F},\hat{B}) \le h(2\epsilon) + 2\epsilon\eta,$$

where $h(\epsilon) = -\epsilon\log(\epsilon) - (1-\epsilon)\log(1-\epsilon)$ is the binary entropy function. ■
Corollary 1: From Lemmas 1 and 2, for any arbitrarily small $\delta > 0$, by choosing appropriately $\alpha, \beta, \epsilon > 0$,
Eve's uncertainty rate about $S$ is lower-bounded as



Appendix B 
Proof of Theorem 2, the upper bound

There are eight cases for a $t$-round SKE protocol, depending on the party who initiates the protocol, the
one who calculates $S$, and whether $t$ is odd or even. We assume $t$ is even, Alice is the initiator, and Bob
calculates S. The other cases can be argued similarly and lead to the same result. Alice sends X^'""^ of 
length Uf^r in odd rounds r € {1, 3, . . . , t — 1}; Bob and Eve receive and Z ^ , respectively. Bob 

sends X^ of length rif, in even rounds r € {2, 4, ... , t}; Alice and Eve receive y;"-" and Z,"^-", 
respectively. Note that the forward and the backward channels are assumed to be used $n_f$ and $n_b$ times,
respectively, and so

$$n_f = \sum_{r \in \{1,3,\ldots,t-1\}} n_{f,r}, \quad \text{and} \quad n_b = \sum_{r \in \{2,4,\ldots,t\}} n_{b,r}.$$



We denote views of Alice, Bob, and Eve at the end of round $r$ by $V_A^r$, $V_B^r$, and $V_E^r$, respectively. For
instance V'f is 



— \\\{odd)i<r 



X'- 



\even:i<r 



Vj^ and can be presented similarly. Fig. |4] illustrates the relationships between the sequences of RVs 
(and the keys), where two sequences are connected by an edge if (i) they belong to input/outputs of the 
same DMBC, or (ii) one is computed from the other by Alice or Bob, using a (possibly randomized) 
function. 

For an even r, at the end of round r — 1, Bob computes the sequence x^*""*^ using his view, V^~^, 
through a (possibly randomized) function 4>riR, ^b~^) where the randomness R is independent of other 
parties' views Vj^~^ and V^~^. He sends this sequence in round r, where the received sequences 
Yj-b.^-r z^''''"'^ are determined from x^''"'"^ through the backward channel transition matrix that 
is independent of the views in round $r - 1$. Accordingly,

Fig. 4. The relations between sequences of RVs in a t-round SKE protocol



forms a Markov chain, from which we derive the following four Markov chains, specifically used in the 
sequel, 

y^^-i o X,"^-" o y;'-", (38a) 

V^^-i o X,"^-" o y,"'-", (38b) 
(y;-- ^;^--)^V^-i^^..-i^ (38c) 

By symmetry, one can show Markov chains between variables when $r$ is odd. The views of the parties
at the end of the protocol are then $\mathrm{View}_A = V_A^t$, $\mathrm{View}_B = V_B^t$, and $\mathrm{View}_E = V_E^t$. Bob computes the
key $S \in \mathcal{S}$ as a function of $V_B^t$ and Alice computes $\hat{S} \in \mathcal{S}$ as a function of $V_A^t$. Note that the rate $R_{sk}$
for an arbitrarily small $\delta > 0$ is achievable if (2) is satisfied. Using Fano's inequality for (2b), we have

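$$H(S|\mathrm{View}_A) \le H(S|\hat{S}) \le h(\delta) + \delta H(S), \qquad (39)$$

Furthermore, (2c) gives

$$I(S; \mathrm{View}_E) = H(S) - H(S|\mathrm{View}_E) \le \delta H(S). \qquad (40)$$

For given $n_f$ and $n_b$, $H(S)$ is upper bounded as

$$\begin{aligned}
H(S) &= I(S; V_A^t) + H(S|V_A^t) \\
&\overset{(a)}{\le} I(S; V_A^t) + h(\delta) + \delta H(S) - I(S; V_E^t) + I(S; V_E^t) \\
&\overset{(b)}{\le} I(S; V_A^t) - I(S; V_E^t) + h(\delta) + 2\delta H(S) \\
&\le I(S; V_A^t|V_E^t) + h(\delta) + 2\delta H(S) \\
&\overset{(c)}{\le} I(V_B^t; V_A^t|V_E^t) + h(\delta) + 2\delta H(S) \qquad (41)
\end{aligned}$$

$$\Rightarrow\ H(S) \le \frac{1}{1 - 2\delta}\left[I(V_B^t; V_A^t|V_E^t) + h(\delta)\right]. \qquad (42)$$

Inequalities (a) and (b) follow from (39) and (40), respectively, and inequality (c) follows from the Markov
chain $S \leftrightarrow V_B^t \leftrightarrow V_A^t$. The first term in (41) is written as follows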



I{VB';Vjl\Vi^) 



(In)equalities (a)-(d) follow from the Markov chains (38a)-(38d), respectively, when $r = t$. By symmetry,
one can write the second term in (43) as



Repeating the steps in (43) and (44) $t/2$ times, we arrive at

{odd)r<t {even)r<t 

For an odd (resp. even) r, define XJ (resp. X^^) such that 

^/ = — E ^z. ' (r-^P- = E )• 

Obtain Yf, ZJ (resp. y^-^ Z^O from the 2DMBC conditional distributions. We choose the RVs Xf, Yj, Zf 
and Xb,Yb,Zb that correspond to the 2DMBC distributions {PYf,Zf\Xf -Py^.z^IXt)' ^nd and Xh 
are selected to satisfy 

I{Xr,Yf\Zf) = max [/(X/; F/IZ/)], IiX,;Y,\Z,) = max [/(Xi''; y.-jZ^)], 

{odd)r<t ■' ' {even)r<t 



respectively. We continue (45) as

$$\overset{(a)}{\le} \sum_{(odd)\, r \le t} n_{f,r}\, I(X_f;Y_f|Z_f) + \sum_{(even)\, r \le t} n_{b,r}\, I(X_b;Y_b|Z_b) = n_f I(X_f;Y_f|Z_f) + n_b I(X_b;Y_b|Z_b). \qquad (46)$$

Inequality (a) follows from Jensen's inequality since $I(X_f;Y_f|Z_f)$ and $I(X_b;Y_b|Z_b)$ are concave
functions of $P_{X_f}$ and $P_{X_b}$, respectively (see e.g., ^TT\ Appendix-I]). We have shown that for any SKE
protocol, there exist RVs for which (46) holds.

Using (2a), (41) and (46), we have the following upper bound on $R_{sk}$

i2.fe< H{S) + 5 

Uf + 12^ 

nfI{Xf;Yf\Zf) + nbIiXb;Yb\Zb) + h{5) 
< (i_25)(n; + n6) 

<max{/(X;; y^jZ^), /(X;,; Y,\Zh)}, 
where the last inequality follows from the fact that $\delta$ is arbitrarily small. This proves the upper bound in
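The closing expression $\max\{I(X_f;Y_f|Z_f), I(X_b;Y_b|Z_b)\}$ can be evaluated numerically for concrete channels. The following Python sketch is an added example, not part of the paper: it assumes binary-input DMBCs built from binary symmetric channels with constructed crossover probabilities, logarithms to base 2, and a grid search over the input distribution; all function names are hypothetical.

```python
from itertools import product
from math import log2

def h2(p):
    """Binary entropy h(p) in bits."""
    return 0.0 if p in (0.0, 1.0) else -p * log2(p) - (1 - p) * log2(1 - p)

def cond_mi(px, chan):
    """I(X;Y|Z) in bits; chan[x][(y, z)] = P(y, z | x), px = input pmf."""
    joint = {(x, y, z): p * w
             for x, p in enumerate(px)
             for (y, z), w in chan[x].items() if p * w > 0}

    def marginal(keep):
        out = {}
        for key, v in joint.items():
            sub = tuple(key[i] for i in keep)
            out[sub] = out.get(sub, 0.0) + v
        return out

    pxz, pyz, pz = marginal((0, 2)), marginal((1, 2)), marginal((2,))
    return sum(v * log2(v * pz[(z,)] / (pxz[(x, z)] * pyz[(y, z)]))
               for (x, y, z), v in joint.items())

def cascade_bsc(p, q):
    """Constructed degraded DMBC: Y = X xor N1 (BSC p), Z = Y xor N2 (BSC q)."""
    return [{(y, z): (p if y != x else 1 - p) * (q if z != y else 1 - q)
             for y, z in product((0, 1), repeat=2)} for x in (0, 1)]

def independent_bsc(p, q):
    """Constructed DMBC with independent noise: BSC(p) to Y, BSC(q) to Z."""
    return [{(y, z): (p if y != x else 1 - p) * (q if z != x else 1 - q)
             for y, z in product((0, 1), repeat=2)} for x in (0, 1)]

def max_cond_mi(chan, steps=100):
    """Grid search for the maximum of I(X;Y|Z) over binary input pmfs."""
    return max(cond_mi((a / steps, 1 - a / steps), chan)
               for a in range(steps + 1))

def ske_upper_bound(fwd, bwd):
    """max{max I(X_f;Y_f|Z_f), max I(X_b;Y_b|Z_b)} in bits per channel use."""
    return max(max_cond_mi(fwd), max_cond_mi(bwd))

if __name__ == "__main__":
    fwd = cascade_bsc(0.1, 0.2)        # Eve sees a noisier copy of Bob's output
    bwd = independent_bsc(0.2, 0.05)   # Eve's backward channel is the cleaner one
    print(round(max_cond_mi(fwd), 4), round(max_cond_mi(bwd), 4))
    print(round(ske_upper_bound(fwd, bwd), 4))
```

Even when Eve's backward channel is less noisy than Alice's, $I(X_b;Y_b|Z_b)$ stays positive because the two noise processes are independent, so the bound does not collapse to zero.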



Appendix C 
Proof of Theorem^ degraded 2DMBCs 

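Lemma 3: For the degraded DMBC as defined in Definition 5, we have $I(X;Y|Z) \le I(X_O;Y_O|Z_O)$.
Proof:

$$\begin{aligned}
I(X;Y|Z) &= I(X_O, X_R; Y_O, Y_R|Z_O, Z_R) \\
&= I(X_O; Y_O, Y_R|Z_O, Z_R) + I(X_R; Y_O, Y_R|Z_O, Z_R, X_O) \\
&\overset{(a)}{=} I(X_O; Y_O|Z_O, Z_R) + I(X_R; Y_R|Z_O, Z_R, X_O) \\
&\overset{(b)}{=} I(X_O; Y_O|Z_O, Z_R) \overset{(c)}{\le} I(X_O; Y_O|Z_O).
\end{aligned}$$

Equality (a) is due to the Markov chains $X_O \leftrightarrow Z_R \leftrightarrow Y_R$ and $X_R \leftrightarrow X_O \leftrightarrow Y_O$, equality (b) is due
to $X_R \leftrightarrow Z_R \leftrightarrow Y_R$, and inequality (c) is due to $Z_R \leftrightarrow X_O \leftrightarrow Y_O$. ■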
C'^-'^^MBC yppgj. bounded as (see Theorem ^ 

< max {IiXf^o;yf,o\Zf,o)JiXb,o;Yb,o\Zb,o)}, (47) 

where the last inequality follows from Lemma [3] On the other hand, the lower bounded in ^ holds for 
C'^-'^'^^'BC _ Starting from ©, we write La as 

"n6[I(X6,o;n)-/(^6,o;^6)]- 



(a) 

La > max 

nf,nb,Pxf,Px 



Uf + nb 



> max [L{Xb,o; Yb) - I{Xb,o; Zb)]+ 

(c) 

= max[/(Xfe_o;^fe,o) - I{Xb,o]Zb,o)]+ 

= max[I{Xb,o;Yb,o\Zb,o)]- (48) 

^^b,o 

Inequality (a) follows from choosing $V_f = 0$, $W_{2,b} = 0$, and $W_{1,b} = X_{b,O}$. Since the argument to be
maximized in the right-hand side of inequality (a) is independent of $P_{X_f}$, we remove $P_{X_f}$ from the expression.
Inequality (b) is obtained by choosing $n_b$ sufficiently larger than $n_f$ and letting $X_{b,R}$ have a constant value.
Equality (c) holds since $X_{b,R}$, and hence $Y_{b,R}$ and $Z_{b,R}$, are independent of $X_{b,O}$. By symmetry, one can
show that

$$L_B \ge \max[I(X_{f,O}; Y_{f,O}|Z_{f,O})]. \qquad (49)$$

Combining (47)-(49) proves the theorem.
Appendix D

Proof of Theorem 4, Joint-AEP for bipartite sequences (in Appendix A)

Part 1) To prove $\Pr((X^N, Y^N) \in A_\epsilon^{(N,n)}) \to 1$
We shall show that with high probability X'^ and are (e, n) -bipartite typical sequences as in © and 
(X^, Y^) satisfy (fTTI) in Definition [8] For large enough n and d, by the weak law of large numbers, we 
have 

-ilogP[/(?7") -> ~E[logPu{U)] = H{U) in probability 
^ 3ni : Vn > 7ii,Pr(| - 1 logPc/(C/") - >£)<§, 

Similarly, we can conclude the following for the other parts of the sequences. 

3di : Vd >di,Pr(| - i log Pt(T'^) - H{T)\ > e) < f , 
3n2 : Vn > n2,Pr(| - i log P^;, ([/'") - | > e) < f, 

3d2 : Vd > d2,Pr(| - 1 logPT'(r"^) - H{T')\ > e) < f . 

Since these sequences are i.i.d., we have 

$$\log P(X^N) = \log P_U(U^n) + \log P_T(T^d),$$

$$\log P(Y^N) = \log P_{U'}(U'^n) + \log P_{T'}(T'^d),$$

which finally results in 

Vn > ni,Vd > di,Pr(| - ^logP(X^) - ^H{U)+dH(T) ^ > e) < §, (50) 
Vn > 7^2, Vd > d2,Pr(| - ^logP(y^) - ^HiU')+dH{T-) 1 > ,) < |. (51) 

The same approach results in the following relations for the joint distribution, 

3n3 : Vn > n3,Pr(| - i log Pt,T' (T^ T"^) - F(T, T')| > e) < f , 

3^3 : Vd>(i3,Pr(|-ilogPc/,c/'(f/",C/'")-mf/')l >e) < §, 
^ Vn > n3,Vd > d3,Pr(| - ^ log P(X^, F^) - "^(^.^O+^^CT.TO , ^ ^ ^52) 

By choosing $n > \max\{n_1, n_2, n_3\}$ and $d > \max\{d_1, d_2, d_3\}$, (50), (51), and (52) are satisfied. The
probability union bound (over these three equations) states that $(X^N, Y^N) \notin A_\epsilon^{(N,n)}$ holds with probability
less than $\epsilon$, i.e., $\Pr((X^N, Y^N) \in A_\epsilon^{(N,n)}) > 1 - \epsilon$. This proves the first part of the theorem.

Part 2) To prove $(1 - \epsilon)2^{nH(U,U') + dH(T,T') - N\epsilon} \le |A_\epsilon^{(N,n)}| \le 2^{nH(U,U') + dH(T,T') + N\epsilon}$

and

$$1 - \epsilon \le \sum_{(x^N, y^N) \in A_\epsilon^{(N,n)}} P(x^N, y^N) \le |A_\epsilon^{(N,n)}|\, 2^{-nH(U,U') - dH(T,T') + N\epsilon}$$

$$\Rightarrow\ |A_\epsilon^{(N,n)}| \ge (1 - \epsilon)\, 2^{nH(U,U') + dH(T,T') - N\epsilon}.$$

Both inequalities (a) and (b) follow from (52).

Part 3j To prov^- (1 - e)2~^iium-di{T;T')-me < Pr((x^,y^) g 4^'")) < 2-«AC/;t^')-d/(T;T')+37V. 
Note that and are independent and Pr{X^ = = y^) = P{x^)P{y^). Using dSO]), 

(ISTT l. and dSll), we have 

Pr((X^,y^) = J] P(x^)P(y^) 

< ^nH{U,U')+dH{T,T')+Nt^ ^~nH{U)-dH(T)+Nt'^ ^-nH{U')~dH(T')+Ne 
_ 2-nI{U;U')-dI{T;T')+3Ne 

and 



> (^1 _ ^2'"'^(^''^')+'^^('^'^')~^'^^ ^2-"^{'^)-'^'f^(^)-^^^ ^-nH{U')-dH{T')-Nt 



(1 - 6)2- 



-nI{U;U')-dI{T;T')-3Ne 



